Protecting your OSX with IPFW and LittleSnitch

So, after posting on twitter about my OSX firewall configuration, a few people asked me to post up a copy of my rules. Now, I’m by no means an OSX expert, an IPFW expert, or a networking expert for that matter... but this configuration could be useful as a starting point for people.

I use Waterroof on my Mac to work with firewall configurations, and the following sets of rules should import into Waterroof or IPFW fine.

IPFW IPv4 Rules

add 00010 deny icmp from any to any in
add 00100 allow ip from any to any via lo*
add 00110 deny ip from 127.0.0.0/8 to any in
add 00120 deny ip from any to 127.0.0.0/8 in
add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353
add 00300 deny ip from 224.0.0.0/3 to any in
add 00400 deny tcp from any to 224.0.0.0/3 in
add 00500 deny tcp from any to any dst-port 0 in
add 00600 check-state
add 01000 allow tcp from me to any keep-state
add 01001 allow udp from me to any keep-state
add 25000 allow ip from me to <INSERT VPN HOST HERE>
add 25100 allow ip from <INSERT VPN HOST HERE> to me in
add 33300 deny tcp from any to any established
add 65000 allow udp from any 67 to any dst-port 68 in
add 65100 deny log icmp from any to me in icmptypes 8
add 65200 deny udp from any to any in
add 65300 deny icmp from any to any in
add 65400 deny ip from any to any in
add 65535 allow ip from any to any

IPFW IPv6 Rules

(I disable IPv6 currently)

add 02070 deny ipv6 from any to any
add 33300 deny log ipv6-icmp from any to any in icmptype 128

I also use LittleSnitch to control application level communications. If you’ve not already seen LittleSnitch I’d highly recommend taking a look. It’s not going to replace IPFW anytime soon, but that’s not its goal.

“A firewall protects your computer against unwanted guests from the Internet. But who protects your private data from being sent out? LittleSnitch does!”

Unfortunately LittleSnitch doesn’t have anything like profiles or locations. To get around this I have a standard set of rules I use at home and trusted sites (few and far between), and by backing this ruleset up and wiping the rules, I can stop applications from being able to communicate out unless I accept the request.

LittleSnitch allows various types of acceptance when an application wants to communicate. This gives you the freedom to control the application as you see fit!

I find these two solutions work well for me… hopefully they will for you as well. If you see anything you think might work better, please let me know. I’m always looking to streamline the process!

Updates:

An alternative to LittleSnitch called HandsOff has been suggested by @chadskidmore. It looks interesting as it seems to cover what LittleSnitch does as well as a few more advanced features. I’ll certainly be taking a look at this when I’ve got a chance.

The IPv4 rules I listed above include a couple of rules that you might wish to disable depending on your configuration. It’s up to you, but the first stage is understanding what the rules do. So with that in mind, here are a few rules I listed that you might want to look closer at.

add 00130 allow udp from any to 224.0.0.251 dst-port 5353
add 00140 allow udp from 224.0.0.251 to any dst-port 5353

The above rules allow mDNS Bonjour communications (UDP 5353). I usually allow this as I do not share anything using this protocol, and I like to see when others on the local LAN are sharing their music collections for me to browse 😉 This might or might not be your thing…

add 65000 allow udp from any 67 to any dst-port 68 in

This rule allows the inbound UDP packets (source port 67, destination port 68) that DHCP needs to work correctly… again, if you’re using a static IP address then there’s no reason for this rule to be active.
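To see how ipfw's first-match evaluation and the keep-state/check-state pair actually behave on this ruleset, here is an added Python model (not from the post and not ipfw's own code) that parses a subset of the IPv4 rules above and walks constructed packets through them in rule order. One thing it makes visible is that an inbound echo request is dropped by rule 00010 before it ever reaches the logging rule 65100, so this ruleset never logs pings. Assumptions: 192.168.1.20 stands in for `me`, the peer and router addresses are constructed, and the loopback, multicast, mDNS, VPN and `established` rules are left out to keep the matcher small.

```python
import ipaddress, re
ME = ipaddress.ip_address("192.168.1.20")  # constructed address standing in for ipfw's "me"
# Subset of the post's IPv4 rules; loopback, multicast, mDNS, VPN and 'established' rules are omitted.
RULES = """add 00010 deny icmp from any to any in
add 00600 check-state
add 01001 allow udp from me to any keep-state
add 65000 allow udp from any 67 to any dst-port 68 in
add 65100 deny log icmp from any to me in icmptypes 8
add 65400 deny ip from any to any in
add 65535 allow ip from any to any""".splitlines()
RULE = re.compile(r"add (\d+) (\S+?)(?: log)?(?: (\S+) from (\S+)(?: (\d+))? to (\S+)(?: dst-port (\d+))?((?: \S+)*))?$")

def parse(line):
    """add NUM action [log] [proto from SRC [sport] to DST [dst-port N] [in|keep-state|icmptypes N]...] -> dict."""
    num, action, proto, src, sport, dst, dport, rest = RULE.match(line).groups()  # 'log' has no matching effect
    return dict(num=int(num), action=action, proto=proto, src=src, dst=dst, sport=sport and int(sport),
                dport=dport and int(dport), opts=set((rest or "").split()),
                icmptypes=int(m.group(1)) if (m := re.search(r"icmptypes (\d+)", rest or "")) else None)

def addr_ok(spec, ip):
    return spec == "any" or (ip == ME if spec == "me" else ip in ipaddress.ip_network(spec))

def matches(r, p):  # static match; a check-state rule has proto None and never matches here
    return (r["proto"] in ("ip", p["proto"]) and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and r["sport"] in (None, p.get("sport")) and r["dport"] in (None, p.get("dport"))
            and r["icmptypes"] in (None, p.get("icmptype")) and ("in" not in r["opts"] or p["dir"] == "in"))

def evaluate(rules, state, p):
    """First match wins -> (rule number or 'dynamic', verdict); keep-state records a flow, check-state replays it."""
    fwd = (p["proto"], p["src"], p.get("sport"), p["dst"], p.get("dport"))
    rev = (p["proto"], p["dst"], p.get("dport"), p["src"], p.get("sport"))
    for r in rules:
        if r["action"] == "check-state" and (fwd in state or rev in state):
            return "dynamic", "allow"
        if matches(r, p):
            if "keep-state" in r["opts"]:
                state.add(fwd)
            return r["num"], r["action"]
    return None, "deny"

def demo():  # walk constructed packets through the rules in order; returns name -> (rule, verdict)
    rules, state, ip = [parse(l) for l in RULES], set(), ipaddress.ip_address
    pkt = lambda proto, src, dst, d, **kw: evaluate(rules, state, dict(proto=proto, src=src, dst=dst, dir=d, **kw))
    return {
        "dns_query": pkt("udp", ME, ip("203.0.113.5"), "out", sport=50000, dport=53),  # 01001 allows, keeps state
        "dns_reply": pkt("udp", ip("203.0.113.5"), ME, "in", sport=53, dport=50000),   # admitted by check-state
        "ssh_syn": pkt("tcp", ip("203.0.113.5"), ME, "in", sport=40000, dport=22),     # unsolicited: catch-all 65400
        "dhcp_offer": pkt("udp", ip("192.168.1.1"), ip("255.255.255.255"), "in", sport=67, dport=68),  # rule 65000
        "ping": pkt("icmp", ip("203.0.113.5"), ME, "in", icmptype=8),  # denied by 00010, so log rule 65100 never fires
    }
```

Paste further rules from the list above into RULES to check where a given packet stops; anything that a check-state hit admits never appears against a numbered rule, which is what makes the 65xxx denies safe for reply traffic.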

Filtering all ICMP is non-optimal. Unfortunately, many organizations mistakenly do this, resulting in performance and accessibility problems which are never resolved, resulting in lost productivity for users.

I weighed up the pros and cons when blocking ICMP and decided that for my use, blocking seemed to be the best. However, you’re perfectly correct, blocking ICMP is and will be more of an issue (with IPv6 in particular!).

Links
